The Sri Lankan government has drafted a Cyber Security Bill to protect vital information and essential services from cyber attacks, reports Daily News. The bill gives the government the power to establish a Cyber Security Agency, the Sri Lanka Computer Emergency Readiness Team, and the National Cyber Security Operations Centre to protect “critical information infrastructure” necessary for the continuous delivery of essential services. The draft bill is awaiting cabinet approval and will be presented thereafter to the Parliament, according to the non-cabinet minister of Digital Infrastructure and Information Technology Ajith P Perera. He added that a public consultation on the bill will be held on June 6.

Understanding the Cyber Security Bill

Objective of the Bill

The aims of the Bill are to (i) ensure the effective implementation of the National Cyber Security Strategy in Sri Lanka; (ii) prevent, mitigate and respond to cyber security threats and incidents effectively and efficiently; (iii) establish the Cyber Security Agency to strengthen the institutional framework for cyber security and (iv) protect the critical information infrastructure.

In November 2018, the Government of Sri Lanka introduced the country’s first Information and Cyber Security Strategy, to be implemented over a period of five years, from 2019 to 2023. It was aimed at creating a trusted and resilient cyber security ecosystem.

What is ‘Critical Information Infrastructure’?

Critical Information Infrastructure (CII) includes all computers or computer systems located wholly or partly in Sri Lanka that are necessary for the continuous delivery of essential services for public health and safety, privacy, economic stability, national security, international stability, and for the sustainability and restoration of critical cyberspace. It also includes any computer system that, if disrupted, would have a serious impact on the functioning of the government.

Cyber Security Agency of Sri Lanka

  1. Establishing a new Cyber Security Agency: The Bill proposes the establishment of a Cyber Security Agency as the “Apex and Executive body” for all matters relating to cyber security policy in Sri Lanka. It will be responsible for the implementation of the National Cyber Security Strategy, “including preparation and execution of operational strategies, policies, action plans, programs and projects”.
  2. Management and administration of the agency lies with a board of directors consisting of:
    • secretaries of ministries of defense and public administration,
    • a member nominated by the SL-CERT board,
    • secretary to the ministry responsible for implementation of the proposed act, and
    • three expert members appointed by the minister.
  3. Powers and functions: One of its main functions is to identify, and recommend to the Minister responsible, computers or computer systems for designation as CII, and to develop strategies to protect them. The Agency will act as the central point of contact for all government institutions and other relevant sectors for cyber security measures. It will ensure compliance by requesting compliance reports from designated CIIs and other government institutions, which will include cyber security assessment and information about the steps taken to protect CII. The Agency or any officer authorized by it will, on reasonable grounds, have the power to enter, inspect and search the premises of designated CIIs, and examine any documents, records and persons pertaining to them.
  4. Information Security Officer (“ISO”): The Bill provides for the appointment of an “Information Security Officer” to each public institution or department. Every ISO will ensure the compliance of these institutions and departments with the prescribed standards.

Institutional framework to assist the agency

The new Bill also proposes to empower the Sri Lanka Computer Emergency Readiness Team (SL-CERT) and the National Cyber Security Operations Centre (NCSOC) to implement the National Cyber Security Strategy of Sri Lanka. It says the CERT will be “the national point of contact for handling cyber security incidents in Sri Lanka” and will assist the agency by providing national-level cyber threat intelligence and conducting reactive cyber security services to prevent or mitigate the damage from cyber security incidents.

Further, the concerned minister, with the concurrence of the Agency, may designate the CERT or any institution established by the Agency as the new NCSOC. The NCSOC will monitor the designated CIIs, identify potential cyber security incidents, gather cyber threat intelligence and provide such information to law enforcement authorities, CERT and to the Agency. It will help the Agency facilitate a coordinated response to prevent, detect, and investigate cyber security incidents.

The owner of CII

The CII may be in public or private institutions. The head of the organization will be deemed the “owner” of the CII, and will be responsible for taking all necessary steps to protect it as prescribed in the Bill. This includes conducting security assessments, implementing a protection plan and notifying the Agency and CERT about any cyber security incidents. If the CII is spread across multiple organizations or sectors, the heads of all such organizations or sectors will be jointly responsible for protecting it.

Offences and Penalties

Every CII owner who fails to fulfil his or her obligations under the proposed Act without any reasonable cause, including failing to report cyber security incidents to the Agency and CERT, will have committed an offence. If convicted, he or she will face up to two years in jail, a fine of up to 200,000 Sri Lankan rupees (approx Rs 79,000), or both. An ISO who fails to perform his or her duties can be charged with an offence, the bill says. It also says that the head of any institution who fails to facilitate an ISO will have committed an offence. If an offence is committed by a corporation, every director or officer will be responsible, and if committed by a firm, every partner will be responsible.

However, it adds that no person will be guilty of an offence if he can prove it was committed without his knowledge or that he exercised all due diligence to prevent it. Prosecution under the proposed Act can only be instituted by the Agency or an officer authorized by it, the Bill says.

Other powers of the Minister

“Minister” in the proposed Act means “the Minister assigned the subjects and functions relating to cyber security”. He or she will have the power to give general or special directions to the Agency from time to time, to ensure effective compliance. He or she will also have the power to make regulations about, among other things, the criteria for the designation of CII; the responsibilities of the owners of CII; and the procedures and timelines for conducting cyber security risk assessments and audits.